Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Most common (or Most important) privacy leaks



On 2/17/2015 8:42 AM, Edward Ned Harvey (blu) wrote:
> I see a lot of people and businesses out there, that just don't care about their own privacy.  They email passwords to each other, W2's with salary and social security information, photocopies of drivers' licenses and passports to be used by HR to complete I-9 forms...
>
> As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently?  IT admin credentials?  HR records?  Financial records?  Other stuff?  Simply everything, bar none?
>
> Email is obviously a huge area of insecure information sharing.  Do you also see a lot of people storing information that should be secured in other non-private services like Dropbox, Google Drive, Box, etc?

People care a lot about their own privacy. The problem is that, by and 
large, it's /only/ their own privacy that they care about.

Those on this list who have done penetration testing will back me up on 
this: you can touch any corporate asset on an employee's desk, but if 
you touch a purse or a cellphone, they get very interested, very 
quickly. Purses and cellphones contain information that they feel /is/ 
private, and therefore they take care to protect it.

I'll leave aside the fact that most of what's in a purse or cellphone is 
already available in databases at the various big-data vendors. What 
counts is that employees /think/ it's private, and so they act 
diligently to protect and conceal it.

Their employer's privacy is another matter. We could debate passwords 
vs. tokens vs. biometrics vs. secret handshakes, and never come close to 
"solving" the security issue, which is, bluntly put, that most workers 
don't feel any connection to the corporate goal of 'security'.  Very few 
desk jockeys have any skin in the security game, and even those who 
could lose their pension if a major breach occurred have a hard time 
connecting that "Maybe, possibly, the odds are ... " kind of abstract 
risk with their day-to-day responsibilities.

Low-level employees, even though they are the ones with the most access 
to the most sensitive personally associated information, such as SSNs 
or bank account numbers (remember the "void" check you sent in to start 
direct deposit?), are not concerned with abstract corporate goals. They 
know they'll never sit in the corner office, and they know that they'll 
never drive the Porsche that the executive owns, and they know that they 
would have to have been a lot more daring and a lot more aggressive and 
a whole lot more disciplined, for years, if they had ever wanted to be 
higher up in the corporation. They do what they have to, not what's 
"right" in the eyes of us technical weenies who mouth buzzwords and 
speak in gibberish while shaming them about "security".

Shakespeare put it best - "The fault, dear Brutus, is not in our stars, 
but in ourselves, that we are underlings."

There are, of course, exceptions: those on this list have, I'd bet, 
mostly come to terms with our station in life as modern-day 
horse-whisperers who tend to complicated and failure-prone machines 
and/or software instead of to leading people. In any case, the odds are 
that we're all well above average in IQ, in income, and in the 
ever-so-elusive perception of ourselves and our place in the world.

The essence of the problem isn't technical; it's human. In military 
settings, soldiers who don't change their password on time (or whose 
passwords fail a complexity test) are assigned to low-status jobs, to 
remind them of their training. In corporate settings, it's impractical 
to demand that someone who has a password written on the bottom of a 
keyboard take a day to clean the bathroom or wash the windows, so 
there's no obvious way to coerce "secure" behavior, short of willingness 
to fire those employees who violate password or other security measures.

So long as "security" must be implemented with the cooperation of men 
and women who resent their station in life and their poor prospects for 
the future, it will be a serious problem. As Bruce Schneier so aptly 
pointed out (when critiquing the TSA's policy of confiscating bottles of 
liquid) - "There's no penalty for failure". In other words, so long as 
the consequences of lackadaisical behavior are borne by anonymous 
stockholders instead of the perpetrators, we lose.

Bill "Mister Subtlety" Horne
William Warren Consulting
Copyright (C) 2015, E.W. Horne. All Rights Reserved.

-- 
E. William Horne
339-364-8487




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org